
IaC Security Configuration Options

The following table shows the configuration options available for the IaC Security scanner. These options can be set at the Account, Project or Scan level, and through the web application (UI), the CLI or the API, as shown in the table below.

Notice

CLI flags are submitted at the scan level with the scan create command. API configurations can be set at the account or project level using the Configuration API, or at the scan level as part of the request body of the POST /scans API. When using the POST /scans API, the scan.config.kics prefix is left out of the key.

Each parameter below is listed with its values and notes, followed by the matching CLI flag and API configuration key (with an API example).

Folder/file filter

Allows users to select specific folders or files to include in, or exclude from, the code-scanning process.

  • Include a file type: *.java

  • Exclude a file type: !*.java

  • Chain several patterns with a comma, for example: *.java,*.js

  • Folders can be included or excluded in the same way.

  • Only wildcard patterns are supported; regular expressions are not.

Notice

For details on how include and exclude patterns are combined, see the Filter Application Logic section below.

CLI: --iac-security-filter <string>

API: scan.config.kics.filter

Example:

  {
    "key": "scan.config.kics.filter",
    "value": "*.java",
    "allowOverride": true
  }

Platforms

  • Ansible 

  • AzureResourceManager

  • Buildah

  • CICD

  • CloudFormation

  • Crossplane 

  • DockerCompose

  • Dockerfile

  • GoogleDeploymentManager

  • GRPC

  • Knative

  • Kubernetes

  • OpenAPI

  • Pulumi

  • ServerlessFW

  • Terraform

Notice

Configure one or more platforms, separated by commas.

Setting this parameter restricts the scan to the queries of the listed platforms only; files belonging to other platforms are not evaluated.

For example: Ansible,CloudFormation,Dockerfile

Warning

Platform names must match the values listed above exactly. A misspelled or otherwise unrecognized platform name causes the scan to fail with an error.

CLI: --iac-security-platforms <string>,<string>

API: scan.config.kics.platforms

Example:

  {
    "key": "scan.config.kics.platforms",
    "value": "GRPC",
    "allowOverride": true
  }

Preset Name

Any of the IaC Security presets that exist in the system.

There are currently no Checkmarx default presets for IaC Security; a preset must be created before it can be selected. For more information on IaC presets, see the IaC Presets page.

Warning

An IaC Security preset is referenced by its preset ID, which must be a valid UUID. After creating a preset, copy its ID from the IaC Presets page.

Filter Application Logic

  • Filters are applied in the order they appear in the expression.

  • When both include and exclude filters are used, include filters must come first.

Why this order matters

When the include filters come first (the correct order), the system starts with an empty selection set and adds to it every item from the original sources that matches an include filter. The exclude filters are then applied to that populated set and remove the unwanted items. The resulting, correctly filtered selection set is what is sent for scanning.

When the exclude filters come first (the incorrect order), the system again starts with an empty selection set and tries to remove items from it, which has no effect. Only afterwards are the include filters applied, adding content from the source set to the selection set. The excluded items are therefore added back and scanned: the exclude rules are effectively ignored.
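To make the ordering rule concrete, and to show how the comma-chained expression with "!" excludes from the Folder/file filter parameter is interpreted, here is an added Python simulation of the filter semantics described on this page. It is not Checkmarx code: the wildcard matching rules, the handling of an expression that contains only exclude rules, and the sample file listing are assumptions made for the example, not taken from the page.

```python
"""Simulation of the IaC Security folder/file filter semantics described above.

Added example, not Checkmarx code. Assumptions not stated on the page:
  - patterns are shell-style wildcards (fnmatch), never regular expressions;
  - a pattern is tried against the full relative path, the file name and each
    folder component, so "*.tf" and "modules/vpc/test" both work as shown;
  - an expression with no include rule starts from the full file set.
"""
from fnmatch import fnmatchcase
from typing import List, Tuple

# Constructed sample repository listing (not taken from the page).
SAMPLE_FILES = [
    "main.tf",
    "modules/vpc/main.tf",
    "modules/vpc/test/fixture.tf",
    "k8s/deployment.yaml",
    "Dockerfile",
    "src/App.java",
    "src/App.js",
]


def parse_filter(expr: str) -> List[Tuple[str, bool]]:
    """Split a comma-chained expression into (pattern, is_include), in source order.
    A leading "!" marks an exclude rule; everything else is an include rule."""
    rules = []
    for raw in expr.split(","):
        pat = raw.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            rules.append((pat[1:], False))
        else:
            rules.append((pat, True))
    return rules


def matches(path: str, pattern: str) -> bool:
    """Case-sensitive wildcard match against the full path, the base name, any
    folder component, or everything beneath a folder path (assumed semantics)."""
    parts = path.split("/")
    candidates = [path, parts[-1], *parts[:-1]]
    if any(fnmatchcase(c, pattern) for c in candidates):
        return True
    # A folder pattern such as "modules/vpc/test" covers "modules/vpc/test/fixture.tf".
    return fnmatchcase(path, pattern.rstrip("/") + "/*")


def apply_filter(files: List[str], expr: str) -> List[str]:
    """Apply the rules strictly in expression order, as the page describes:
    with include rules present the selection starts empty, includes add files
    from the source set, excludes remove files from the selection built so far."""
    rules = parse_filter(expr)
    has_include = any(is_include for _, is_include in rules)
    # Assumption: an exclude-only expression starts from the full source set.
    selected = set() if has_include else set(files)
    for pattern, is_include in rules:
        if is_include:
            selected |= {f for f in files if matches(f, pattern)}
        else:
            selected -= {f for f in selected if matches(f, pattern)}
    return sorted(selected)


def compare_orders() -> Tuple[List[str], List[str]]:
    """Same two rules in both orders. Include-first drops the test fixture;
    exclude-first removes nothing from the empty set, so the fixture is scanned."""
    correct = apply_filter(SAMPLE_FILES, "*.tf,!modules/vpc/test")
    wrong = apply_filter(SAMPLE_FILES, "!modules/vpc/test,*.tf")
    return correct, wrong


if __name__ == "__main__":
    correct_order, wrong_order = compare_orders()
    print("include first :", correct_order)
    print("exclude first :", wrong_order)
    print("chained types :", apply_filter(SAMPLE_FILES, "*.java,*.js"))
```

Running the script shows that "*.tf,!modules/vpc/test" scans only the two production Terraform files, while "!modules/vpc/test,*.tf" silently scans the fixture as well, which is exactly the failure mode the page warns about. Because the rules are applied in expression order and the selection starts empty, the safe habit is to write every include before the first "!" exclude.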